Informed Consent: How to Collect Data Without Risking Penalties

Find out how to properly handle informed consent to avoid penalties from the Data Protection Authority. Practical tips for websites, WhatsApp, and small businesses.

Leader24 Editorial Team | June 19, 2026 | 6 min read | Inspired by Hacker News Best

You know those contact forms where you have to click “I Agree” or you can’t move forward? Or those WhatsApp messages where a company messages you even though you’ve never given them your number? Well, that’s not consent. It’s a trap that can cost you dearly, because the Data Protection Authority doesn’t distinguish between large corporations and small businesses.

You don’t have to be a Nordic electronics giant to end up in their crosshairs. All it takes is a poorly designed form on your website or a promotional message sent to the wrong customer. There’s only one lesson here: collecting data without a genuine, informed, and documented “yes” is like driving without insurance. You might get lucky for a while, but when you get pulled over, you’re in serious trouble.

What Informed Consent Really Is—and Why It’s Not Just “Bureaucracy”

Informed consent isn’t just checking a box. It’s the act by which a person authorizes you to use their data after fully understanding exactly what you’ll do with it. Attorney Ticozzi explains it well: it’s a pact of trust. If the client doesn’t understand, the consent is worthless.

When you collect an email address to send a quote, you’re asking for permission. You’re not just filling out a form. That’s the whole difference. The GDPR isn’t an enemy that complicates your life; it’s the tool that forces you to be clear. And clarity, in 2026, is the best calling card for any business.

What mistakes lead to fines?

Fines aren’t imposed for a one-time technical error. They’re imposed when consent is fake or coerced. Matrice Digitale’s GDPR guide is clear: confusing banners, pre-checked boxes, and text written in “legalese” that no one reads are the surest path to a citation.

The most common mistakes I see in small businesses have to do precisely with how data is collected. Using pre-filled forms is the first problem, because consent must be an active action on the user’s part, not a default choice you’ve set. The second is leaving the purpose vague: you must specify the exact purpose, whether it’s a quote, an appointment, or an offer. The third mistake is making it difficult to opt out. If a customer has to click three times to say “no” but only once to say “yes,” you’re in violation of the regulations.

How to Handle Consent in Everyday Conversations

WhatsApp is your main sales channel, whether you run a clothing store or a dental practice. However, every chat is a potential data collection opportunity. When a customer messages you, “I’d like a quote,” you reply and start gathering information—and that’s when your obligation to provide a privacy notice kicks in.

You don’t have to become a lawyer. You just need to be transparent from the very first message. If you use WhatsApp Business, set up a welcome message that clearly states: “The data you provide in this chat will be used solely to process your request. We will not share it with third parties.” Two sentences, no legal jargon, maximum protection for you and the person messaging you.

If manually managing every conversation and remembering to include the privacy notice each time seems complicated, you can automate this process. Leader24 lets you set up automated replies that include the privacy notice, so every lead receives the correct information without you having to think about it each time. Compliance becomes part of the process, not an extra thing to worry about.

Practical Tools to Stay Compliant Without Going Crazy

You don’t need a law degree. You need three practical steps. The first is an up-to-date policy generator, because creating a compliant privacy policy and cookie policy is no longer a Herculean task: there are platforms that do it automatically and notify you when regulations change.

The second is a booking system that integrates the privacy policy. If you manage appointments, make sure the link to your privacy policy is visible on the booking form—not hidden at the very bottom after scrolling down five times. The third is to centralize requests, because having all conversations in one place lets you keep track of who gave consent, when, and for what. If a customer ever asks you, “What do you do with my data?”, you’ll have the answer in three seconds instead of rummaging through emails, chats, and scraps of paper.

What to Do If a Customer Asks, “What Do You Do With My Data?”

The question comes up. It always does. And if you stumble over your words, you’ve lost not only that customer’s trust but potentially the case as well if the customer decides to file a complaint. Prepare a standard, simple, and honest response, something like: “We use your data only to process the order you’ve requested. We don’t sell or share it with anyone. You can ask us to delete it at any time by writing to us here.” Print this sentence and stick it on your monitor so your staff knows it by heart.

Clarity is your most powerful legal defense. A customer who receives a straightforward and transparent response won’t go to the Data Protection Authority. A customer who gets brushed off or receives vague answers—that’s the one who might decide to look into it further.

The First Step to Sleeping Soundly

Don’t try to fix everything today. You won’t be able to, and you’ll end up making things worse. Start with a simple overview: where do you collect data in your business? Website, WhatsApp, paper form, phone. Note down each point.

Then take the main contact form you use—the one on your website or the standard message you send on WhatsApp. Read it as if you were a customer who knows nothing about the law. Is it clear? Does the user understand what you’re going to do with their phone number? If the answer is no, rewrite it today using words even a teenager would understand. Simplicity is the highest form of legal protection there is.

Frequently Asked Questions

Do I need to have every customer who messages me on WhatsApp sign a consent form?

No, a signed form isn’t necessary. However, you must make it clear—right from the first messages—how you’ll handle the data the customer is providing. An automated welcome message containing the essential information is sufficient to ensure transparency and compliance.

Can I send promotional offers to customers who have already purchased from me?

It depends. If the customer hasn’t given specific consent for marketing purposes, you can’t use their data to send promotions. Consent for sales and consent for marketing are two distinct things. You must have both, separately and documented.

If I buy a contact database, can I contact those people?

No, that’s the fastest way to get fined. Consent must be given directly to you, in an informed and specific manner. A purchased database has no legal value under the GDPR, even if the seller swears otherwise.
